I need some help with route-maps on a Cisco 3825

I currently have a Cisco 3825 with one active internet connection and one we are going to test. I have both circuits protected by firewalls. I have deployed an ASA5510 and a PIX. The existing circuit with the PIX is up and fully operational. I am trying to use route maps on the 3825 to drive certain hosts through the new circuit with the ASA. If I use the ASA inside interface as the gateway on the host, internet traffic is available. If I place my route map statements into the 3825 and change the gateway of the host to the 3825, the internet traffic bypasses the ASA and goes out its default route, the PIX. I have attached a sanitized config from the 3825 and a Visio of the setup. Any help, folks?

!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname norfolk3800
no aaa new-model
!
resource policy
!
no network-clock-participate wic 0
no network-clock-participate wic 1
no network-clock-participate wic 2
no network-clock-participate wic 3
ip cef
!
!
!
!
ip domain name MDVNF.COM
ipx routing 0000.0c58.c289
!
!
!
!
!
interface Multilink1
 ip address 128.105.0.1 255.255.0.0
 delay 2000
 ipx network 105
 ppp multilink
 ppp multilink interleave
 ppp multilink group 1
!
interface GigabitEthernet0/0
 description MDVADMIN
 ip address 10.100.0.1 255.255.0.0 secondary
 ip address 128.1.250.0 255.255.0.0
 ip helper-address 128.1.0.29
 ip helper-address 128.1.0.26
 ip helper-address 128.1.0.96
 no ip redirects
 ip policy route-map traffic-to-test
 duplex auto
 speed auto
 media-type rj45
 negotiation auto
 ipx network 541001
 ipx type-20-propagation
!
interface GigabitEthernet0/1
 description Wharehouse
 ip address 128.2.250.0 255.255.0.0
 ip helper-address 128.1.0.29
 ip helper-address 128.1.0.26
 ip helper-address 128.1.0.96
 duplex auto
 speed auto
 media-type rj45
 negotiation auto
!
router eigrp 500
 redistribute connected
 network 10.0.0.0
 network 128.1.0.0
 network 128.2.0.0
 network 128.104.0.0
 network 128.105.0.0
 network 128.109.0.0
 network 128.203.0.0
 network 128.207.0.0
 network 128.208.0.0
 no auto-summary
!
ip forward-protocol udp 24576
ip route 0.0.0.0 0.0.0.0 128.1.0.13
!
no ip http server
ip http authentication local
ip http timeout-policy idle 600 life 86400 requests 10000
!
!
logging trap debugging
logging 128.1.50.2
access-list 50 permit 128.1.50.2
route-map Traffic-to-test permit 10
 match ip address 50
 set ip next-hop 128.1.70.100
!
route-map traffic-to-test permit 10
!
!
!
!
ipx router eigrp 500
 network 541001
 network 104
 network 105
 log-neighbor-changes
!
!
!
!
!

!
end


[Attached diagram: Dual-Internet-Connections.jpg]
redcell5 asked:
lrmoore commented:
Use an extended acl for the route-map match statement

access-list 150 permit ip host 128.1.50.2 any
route-map Traffic-to-test permit 10
 match ip address 150
 set ip next-hop 128.1.70.100

redcell5 (Author) commented:
I knew you would have the answer, LR, but I don't think it is working. I see no traffic on my ASA and my router logs keep giving this entry:
72417458: *Jul  8 12:04:39.722: IP: s=128.1.50.2 (GigabitEthernet0/0), d=74.125.113.102, len 40, FIB policy match
72417459: *Jul  8 12:04:39.722: IP: s=128.1.50.2 (GigabitEthernet0/0), d=74.125.113.102, len 40, FIB policy rejected - normal forwarding
72417460: *Jul  8 12:04:39.734: IP: s=128.1.50.2 (GigabitEthernet0/0), d=74.125.113.102, len 40, FIB policy match
72417461: *Jul  8 12:04:39.734: IP: s=128.1.50.2 (GigabitEthernet0/0), d=74.125.113.102, len 40, FIB policy rejected - normal forwarding
redcell5 (Author) commented:
Also, have you heard of this?
"Policy-Routing doesn't want to policy-route if the 'set ip next-hop' address is not directly adjacent."

When I look at my sh ip route, I don't show my new ISP router connected. Its IP address should be 98.141.40.129; should I change this to be my next hop?
redcell5 (Author) commented:
OK...I put this statement in
route-map Traffic-to-test permit 10
 match ip address 50
 set ip next-hop recursive 128.1.70.100
and it started working, but it made my router an island. I could not connect to any of the other interfaces or networks; I had to dump the route map to be able to see the other networks.

Why did this happen, and how do I parse the traffic in such a way that only internet traffic goes out through the route map?
lrmoore commented:
>Policy-Routing doesn't want to policy-route if the "set ip next-hop" address is not directly adjacent.
No next hop can be anything except adjacent.
Given your subnet mask on the router, the ASA must be directly adjacent, no?

>interface GigabitEthernet0/0
  ip address 128.1.250.0 255.255.0.0
>set ip next-hop 128.1.70.100

I just set this exact scenario up on a customer router today and it works flawlessly.
> match ip address 50
Anything below 100 is a standard acl. Did you use an extended acl as I suggested?
redcell5 (Author) commented:
That was my fault, LR; I did change the access-list. That was from the older config. However, when I did that and applied it, I lost connectivity to all of my other interfaces. They couldn't get to me and I couldn't get to them. Why would that happen? Do I need to route non-internet traffic another way? I only want internet traffic to go out through the route map above.

Here is the entire sanitized config w/o the route map (had to dump it because it stopped production)

version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname norfolk3800
!
!
no logging buffered
no logging console
!
no aaa new-model
!
resource policy
!
no network-clock-participate wic 0
no network-clock-participate wic 1
no network-clock-participate wic 2
no network-clock-participate wic 3
ip cef
!
!
!
!
ip domain name MDVNF.COM
ipx routing 0000.0c58.c289
!
!
!
!
interface Multilink1
 ip address 128.105.0.1 255.255.0.0
 delay 2000
 ipx network 105
 ppp multilink
 ppp multilink interleave
 ppp multilink group 1
!
interface GigabitEthernet0/0
 description MDVADMIN
 ip address 10.100.0.1 255.255.0.0 secondary
 ip address 128.1.250.0 255.255.0.0
 ip helper-address 128.1.0.29
 ip helper-address 128.1.0.26
 ip helper-address 128.1.0.96
 no ip redirects
 ip policy route-map traffic-to-test
 duplex auto
 speed auto
 media-type rj45
 negotiation auto
 ipx network 541001
 ipx type-20-propagation
!
interface GigabitEthernet0/1
 description Wharehouse
 ip address 128.2.250.0 255.255.0.0
 ip helper-address 128.1.0.29
 ip helper-address 128.1.0.26
 ip helper-address 128.1.0.96
 duplex auto
 speed auto
 media-type rj45
 negotiation auto
!
interface Serial0/0/0
 description Interface to DeCA
 ip address 172.16.253.34 255.255.255.252
!
interface Serial0/0/1
 description WAN to JESSUP
 ip address 128.109.0.1 255.255.0.0
!
interface Serial0/0/2
 description WAN to Azalea
 ip address 128.104.0.1 255.255.0.0
 ipx network 104
 ipx type-20-propagation
!
interface Serial0/0/3
 no ip address
 shutdown
 clock rate 2016000
 dce-terminal-timing-enable
!
interface Serial0/1/0
 description WAN Link To Chester - Verizon 793487
 no ip address
 encapsulation ppp
 no fair-queue
 ppp multilink group 1
!
interface Serial0/1/1
 description MDV-CPF MCI Frame Relay ZABHNPG40001 DLCI 100
 no ip address
 encapsulation frame-relay
 clock rate 2016000
 dce-terminal-timing-enable
!
interface Serial0/1/1.1 point-to-point
 description wan link to Ontario MCI ZABHNPG70001 DLCI 105
 ip address 128.208.0.1 255.255.0.0
 shutdown
 frame-relay class vcmdv
 frame-relay interface-dlci 105  
!
interface Serial0/1/1.2 point-to-point
 shutdown
!
interface Serial0/1/1.3 point-to-point
 description wan link to Fife MCI ZABHNPG80001 DLCI 115
 ip address 128.203.0.1 255.255.0.0
 frame-relay class vcmdv
 frame-relay interface-dlci 115  
!
interface Serial0/1/1.4 point-to-point
 description wan link to Stk Perf Drive MCI ZABHTJRV0001 DLCI 120
 ip address 128.207.0.1 255.255.0.0
 shutdown
 frame-relay class vcmdv
 frame-relay interface-dlci 120  
!
interface Serial0/1/2
 description WAN Link To Chester - COX 007131
 no ip address
 encapsulation ppp
 no fair-queue
 ppp multilink group 1
!
interface Serial0/1/3
 description WAN Link To Chester - COX 007132
 no ip address
 encapsulation ppp
 ipx network 7132
 no fair-queue
 ppp multilink group 1
!
interface Serial0/2/0
 description Point to point Richmond CAVTEL
 no ip address
 encapsulation ppp
 no fair-queue
 ppp multilink group 1
!
interface Serial0/2/1
 description P2P to Stockton
 ip address 10.207.0.20 255.255.0.0
!
interface Serial0/2/2
 description P2P to Ontario
 ip address 10.208.0.20 255.255.0.0
!
interface Serial0/2/3
 description P2P to FIFE
 ip address 10.203.0.20 255.255.0.0
!
interface Serial0/3/0
 description P2P to PA
 ip address 10.128.100.2 255.255.255.0
!
interface Serial0/3/1
 no ip address
 clock rate 2016000
 dce-terminal-timing-enable
!
interface Serial0/3/2
 no ip address
 shutdown
 clock rate 2016000
 dce-terminal-timing-enable
!
interface Serial0/3/3
 no ip address
 shutdown
 clock rate 2016000
 dce-terminal-timing-enable
!
router eigrp 500
 redistribute connected
 network 10.0.0.0
 network 128.1.0.0
 network 128.2.0.0
 network 128.104.0.0
 network 128.105.0.0
 network 128.109.0.0
 network 128.203.0.0
 network 128.207.0.0
 network 128.208.0.0
 no auto-summary
!
ip forward-protocol udp 24576
ip route 0.0.0.0 0.0.0.0 128.1.0.13
ip route 65.207.97.178 255.255.255.255 128.105.0.2
ip route 128.5.251.200 255.255.255.255 128.105.0.2
ip route 141.152.176.0 255.255.255.0 128.1.0.13
ip route 172.16.0.0 255.255.0.0 172.16.253.33
ip route 207.42.153.4 255.255.255.255 128.1.0.13
ip route 208.249.152.0 255.255.255.0 128.1.0.13
!
no ip http server
ip http authentication local
ip http timeout-policy idle 600 life 86400 requests 10000
!
!
map-class frame-relay vcmdv
 frame-relay end-to-end keepalive mode passive-reply
logging trap debugging
logging 128.1.50.2
access-list 60 permit 128.1.50.2
access-list 60 permit 128.1.0.90
!
!
!
!
ipx router eigrp 500
 network 541001
 network 104
 network 105
 log-neighbor-changes
!
!
!
!
!
control-plane
!
!

lrmoore commented:
If you just want www traffic to go the other way, try this:

access-list 150 permit tcp host 128.1.50.2 any eq www
route-map traffic-to-test permit 10
 match ip address 150
 set ip next-hop 128.1.70.100
redcell5 (Author) commented:
How can I get traffic destined for an internet web site at a different location not to try to traverse this path/route-map?
lrmoore commented:
Deny it first in the ACL:

access-list 150 deny tcp host 128.1.50.2 host <website ip> eq www
access-list 150 permit tcp host 128.1.50.2 any eq www

You cannot use an FQDN in an ACL (i.e. host www.google.com); it must be an IP address.
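Pulling the thread together, here is an added example of the complete policy as it would look on the 3825. It is not the asker's config and not lrmoore's reply; it is built from the names and addresses in the posted configs, and the 192.0.2.10 website address (TEST-NET-1) and the port 443 lines are assumptions, marked as such in the comments. It also covers the "island" problem reported earlier in the thread: `permit ip host 128.1.50.2 any` matched that host's traffic to every internal network as well as the internet, so all of it was handed to the ASA; denying the internal destinations before the permit keeps them on normal EIGRP/static routing. One more thing worth checking against the first posted config: route-map and ACL names are case-sensitive in IOS, and that config defined `Traffic-to-test` but applied `traffic-to-test` to Gi0/0, so the map the interface actually used was the empty one, which routes everything normally.

```cisco
! Added example (not from the thread). Complete policy-based-routing setup for
! the 3825 using the addresses from the posted configs. Assumptions are marked.
!
ip access-list extended PBR-TO-TEST
 remark 1. Keep internal destinations on normal routing. "permit ip host 128.1.50.2 any"
 remark    matched these too and sent them to the ASA, which is what islanded the host.
 deny   ip host 128.1.50.2 10.0.0.0 0.255.255.255
 deny   ip host 128.1.50.2 172.16.0.0 0.0.255.255
 deny   ip host 128.1.50.2 128.1.0.0 0.0.255.255
 deny   ip host 128.1.50.2 128.2.0.0 0.0.255.255
 deny   ip host 128.1.50.2 128.104.0.0 0.0.255.255
 deny   ip host 128.1.50.2 128.105.0.0 0.0.255.255
 deny   ip host 128.1.50.2 128.109.0.0 0.0.255.255
 deny   ip host 128.1.50.2 128.203.0.0 0.0.255.255
 deny   ip host 128.1.50.2 128.207.0.0 0.0.255.255
 deny   ip host 128.1.50.2 128.208.0.0 0.0.255.255
 remark 2. Internet sites that must keep using the PIX path. 192.0.2.10 is a
 remark    placeholder (assumption); use the real address, an FQDN is not accepted.
 deny   tcp host 128.1.50.2 host 192.0.2.10 eq www
 deny   tcp host 128.1.50.2 host 192.0.2.10 eq 443
 remark 3. Only web traffic from the test host goes to the ASA. Port 443 is an
 remark    assumption; the thread only asks for www. Add one host per line for more hosts.
 permit tcp host 128.1.50.2 any eq www
 permit tcp host 128.1.50.2 any eq 443
 remark Anything not permitted above falls through to normal forwarding.
!
! Name the map exactly as it is applied on the interface (names are case-sensitive).
route-map traffic-to-test permit 10
 match ip address PBR-TO-TEST
 ! 128.1.70.100 (ASA inside) sits in Gi0/0's own 128.1.0.0/16, so the plain form
 ! is correct. "set ip next-hop recursive 128.1.70.100" is only for a next hop
 ! that is not on a directly connected subnet.
 set ip next-hop 128.1.70.100
!
interface GigabitEthernet0/0
 ! Matched packets leave the same interface they arrived on. Keep redirects off
 ! (already in the posted config) so the router does not tell 128.1.50.2 to go
 ! to the ASA directly and bypass the policy.
 no ip redirects
 ip policy route-map traffic-to-test
```

Verify with `show route-map traffic-to-test`, which shows per-clause policy-routing match counts, and `show ip arp 128.1.70.100` to confirm the ASA inside address has actually resolved on Gi0/0 before trusting the plain `set ip next-hop`; `debug ip policy` produces the per-packet "FIB policy match" / "FIB policy rejected" lines quoted earlier in the thread. One security caveat: PBR steers traffic, it does not enforce anything. On a flat 128.1.0.0/16 segment any host can point its own default gateway at 128.1.70.100 and bypass the router's policy entirely (that is exactly what the first test did), so the ASA rule set needs to be at least as strict as the PIX's, or the ASA inside interface should move to its own subnet behind the router.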

redcell5 (Author) commented:
Genius